Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
PR:L required (reader-role UI account mandatory); cache deletion yields limited I:L and A:L with no confidentiality breach (C:N) and no scope change (S:U).
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Lifecycle Timeline
3DescriptionCVE.org
bunkerweb is an Open-source and next-generation Web Application Firewall (WAF). From 1.6.2 until 1.6.12, the BunkerWeb web UI BiscuitMiddleware authorization bypass list included the /cache/ URL prefix, so routes in src/ui/app/routes/cache.py protected only by @login_required, including POST /cache/delete, allowed low-privilege read-only reader accounts to permanently delete job cache files containing blacklist, greylist, DNSBL, CrowdSec, GeoIP, ModSecurity CRS, Let's Encrypt, ACME, and custom configuration data. This issue is fixed in version 1.6.12.
AnalysisAI
Improper authorization in BunkerWeb's web UI middleware allows authenticated reader-role accounts to permanently delete WAF job cache files in versions 1.6.2 through 1.6.11. The BiscuitMiddleware bypass list incorrectly included the /cache/ URL prefix, causing the POST /cache/delete route to skip Biscuit role-based access control and enforce only Flask's @login_required decorator, making write-privileged cache operations accessible to any authenticated user. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a valid BunkerWeb web UI account with at minimum the reader (non-admin) role - unauthenticated access is not sufficient, as Flask's `@login_required` decorator remains enforced. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 score of 5.4 (Medium) with vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L is well-calibrated to the actual impact: network-accessible, low complexity, requiring low-privilege authentication, with limited integrity and availability impact but no confidentiality breach or scope change. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has obtained a valid BunkerWeb reader-role UI credential (via phishing, credential stuffing, or insider access) authenticates to the web interface and issues a standard `POST /cache/delete` HTTP request. Because BiscuitMiddleware exempts all `/cache/` paths from role evaluation, the request is processed without any write-privilege check and the targeted job cache files are permanently deleted. … |
| Remediation | Upgrade BunkerWeb to version 1.6.12, which is the vendor-released patch that removes `/cache/` from the BiscuitMiddleware bypass list and enforces full role-based authorization on all cache routes. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-285 – Improper Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-45032